CTSRD CRASH-worthy Trustworthy Systems Research and Development - PowerPoint PPT Presentation

CTSRD CTSRD CRASH-worthy Trustworthy Systems Research and Development The CHERI CPU RISC in the age of risk David Chisnall University of Cambridge Approved for public release; distribution is unlimited. This research is sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contracts FA8750-10-C-0237 and FA8750-11-C-0249. The views, opinions, and/or findings contained in this article/presentation are those of the author(s)/ presenter(s) and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.

Memory: You’re doing it wrong! ~82% of exploited vulnerabilities in 2012 — Software Vulnerability Exploitation Trends, Microsoft 2

Low-level languages rule C: 8,323,328,367 lines of code C++: 2,966,693,989 lines of code New code committed Java: 2,861,498,030 lines of code Scala:13,780,744 lines of code Source: openhub.net 3

Security is important again Multi-user systems Disconnected single- user systems Single-user, multi-attacker systems 4

RISC is for compilers • Nothing that can be done fast in software should be done in hardware. • Everything that can only be done well in hardware should be in hardware. 5

The CHERI model • Memory protection as a first-class part of the ISA • A single abstraction for bounds checking and sandboxing • Mechanism in the hardware, policy in software 6

Pointers should be capabilities • Smalltalk (Java, etc) pointers confer the rights to access an object. • C pointers can (in practice) be constructed from arbitrary integers. • Capabilities are unforgeable tokens of authority. 7

CHERI capabilities ISA Operations 32 capability registers Field Operation base ¡[64] Permissions Bitwise and length ¡[64] Increment (and Base decrease length) Permissions ¡[32] Type ¡[24] Reserved ¡[8] Length Decrease virtual ¡address ¡[64] ¡(exposed ¡as ¡offset) Arbitrary Offset manipulation 8

Tags to Protect Capabilities in Memory 1 bit 256 bits TAGS DATA Capabilities on the stack and in data structures 9

Address Calculation Instruction Legacy Capability Fetch Data Access Data Access $PC $R n $C n Offset $PCC $C0 Virtual Address TLB Physical Address Physical Memory 10

Tag Table in Commodity DRAM 128 tag bits per TAGS Tag Lookup 4KB page <0.5% (with cache) L2 Cache DRAM DATA Tags on physical Cache line is memory tag(s) + data 11

Paged Memory • OS managed • Enables swapping • Centralised • Allows revocation Address validation 12

Capabilities • Compiler managed • Precise • Can be delegated • Many domains Pointer safety 13

Paged Memory + CHERI Capabilities • OS managed • Compiler managed • Enables swapping • Precise • Centralised • Can be delegated • Allows revocation • Many domains Address validation Pointer safety 14

Memory safety in hardware • All memory accesses must be via a valid capability • Instructions only allow restricting range / permissions of capabilities • Now all we need is software… 15

Building on open source • A full open source stack: • LLVM/Clang-based compiler. • Modified FreeBSD. • Extended BERI processor. • Real software from the FreeBSD ports collection. 16

Process start • $c0 and $pcc cover the entire address space. • Unmodified code is completely oblivious. • CHERI-aware code can derive restricted capabilities from either. • Compartments can be created by discarding/ subsetting $c0 in some threads. 17

Don’t break the world! • Code that doesn’t contain memory safety errors should work! • Even if it does slightly (or very) evil things with pointers! • Ideally only code with memory safety errors should break. 18

C is weird • Long standard describes allowed behaviour. • Lots of things are implementation defined or undefined . • All nontrivial programs depend on implementation- defined behaviour. • Breaking this makes programmers cranky! • We discovered most of these things when we broke them and tried to compile real programs (e.g. tcpdump) 19

Pointers and Integers 7.20.1.4 Integer types capable of holding object pointers 1 The following type designates a signed integer type with the property that any valid pointer to void can be converted to this type, then converted back to pointer to void , and the result will compare equal to the original pointer: intptr_t The following type designates an unsigned integer type with the property that any valid pointer to void can be converted to this type, then converted back to pointer to void , and the result will compare equal to the original pointer: void *a = something(); uintptr_t intptr_t b = (intptr_t)a; a = (void*)b; These types are optional. 7.20.1.5 Greatest-width integer types void *a = something(); Implementation defined! long long b = (long long)a; a = (void*)b; 20

Simple Problem: memcpy() struct foo { void *a; int b; }; struct foo new = old; memcpy(&new, &old, sizeof(struct foo); The memcpy() function doesn’t know if it’s copying pointers or data! 21

Pointers as capabilities C code used __capability qualifier to tag pointers to be represented as capabilities // 64-bit integer (address) void *foo; // 256-bit capability __capability int *bar; // Increment offset by sizeof(int) bar++; // Load 4 bytes at offset+sizeof(int) bar[1]; 22

Enabling pointer abuse // The low bit of a sensibly aligned pointer is // always 0, so we can hide a flag in it __capability int *set_flag(__capability int *b) { return (__capability int*)((__intcap_t)b | 1); } 23

Enabling pointer abuse # Integer constant 1 daddiu $1, $zero, 1 # Derive a canonical null capability cfromptr $c1, $c0, $zero # Set intcap_t (tag not valid) to 1 csetoffset $c1, $c1, $1 # Get the integer values of both operands cgetoffset $1, $c1 cgetoffset $2, $c3 # Perform the arithmetic or $1, $1, $2 # Set the offset in the original capability csetoffset $c3, $c3, $1 24

Legacy interoperability (is hard) void *foo; __capability char *bar; // What does this do? bar = (__capability char *)foo; // Or this? foo = (void *)bar; 25

First cut at Casts # Cast from pointer ($1) to capability ($c1) CIncBase $c1, $c0, $1 # Cast from capability ($c1) to pointer ($1) CGetBase $c1, $1 • What happens if the pointer is null? • What happens if the capability is outside the $c0 range or $c0 has a non-zero offset? 26

NULL in C §6.3.2.3.3: An integer constant expression with the value 0, or such an expression cast to type void * , is called a null pointer constant . 66 ) If a null pointer constant is converted to a pointer type, the resulting pointer, called a null pointer , is guaranteed to compare unequal to a pointer to any object or function. void *null = (void*)0; int a = 0; void *might_be_null = (void*)a; No C programmer has ever paid attention to this! 27

Casts in CHERI # Cast from pointer ($1) to capability ($c1) CFromPtr $c1, $c0, $1 # Cast from capability ($c1) to pointer ($1) CToPtr $1, $c0, $c1 • CFromPtr gives a null capability if the integer is 0 • CToPtr gives a 0 integer if the capability is null or outside of $c0 28

Where do bounds come from? • An object in C is a single allocation. • OpenSSL’s Heartbleed vulnerability was caused (partly) by splitting allocations. • Some programmer policy is essential! • Sizes of globals, stack allocations, malloc() calls are not enough (but they’re a good start!) 29

Safer returning Capabilities are for code, not just for christmas data MIPS CHERI jalr $t9, $ra cjalr $c12, $c17 Call jr $ra cjr $c17 Return Spill return address sd $ra, 32($sp) csc $c17, $sp, 32($c11) to stack Behaviour if spilled Jump somewhere Trap value is corrupted (attacker’s choice) 30

Comparing pointers • C says it’s undefined behaviour to compare pointers to different objects • C programmers do it all the time • CHERI adds pointer compare instructions 31

Some evil things people do to pointers • Store them in integer variables (works if they’re [u]intcap_t) • Do arbitrary arithmetic on them • Let them go out of range in the middle of a calculation • Compare pointers to different objects All of these need to work! 32

A tale of 2 3 ABIs • Incremental deployment is vital for testing • Rewriting (or even recompiling) all code at once isn’t feasible More compatible More safe n64 n64 + CHERI Pure-capability Pure MIPS Some pointers All pointers are are capabilities capabilities 33

The pure-capability ABI • Code where all pointers are capabilities. • May have a null $c0 . • Can only see a subset of all memory. • Incompatible with syscall ABI. 34

CHERI-friendly libraries • Always use typedefs for pointer types. • Don’t put struct definitions for opaque types in headers. • Separate file-handling layers (that make syscalls) from buffer-handling layers. • Write good code! 35